The code enumerates entries under this Registry key:<\/p>\n
- \n
- HKLM\\System\\CurrentControlSet\\
\nControl\\MUI\\CallbackDlls\\
\n{ENTRY}\\DllPath=<DLL><\/li>\n<\/ul>\nOn Windows 7, we can see a number of these entries:<\/p>\n
![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/10\/callbacks1.png\")
<\/a><\/p>\nand Windows 10 has even more – I really doubt this code is going away:<\/p>\n
![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/10\/callbacks2.png\")
<\/a><\/p>\nEach entry includes the DllPath that points to a library. The only requirement is that all these libraries must be signed…<\/p>\n
Now, how to trigger it?<\/p>\n
It’s simple: just change the system locale…<\/p>\n
![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/10\/callbacks4.png\")
<\/a>Once you do that, you can observe Procmon log showing the enumeration:<\/p>\n![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/10\/callbacks3.png\")
<\/a><\/p>\nAgain, the exact criteria when the DLLs are loaded and how are not clear to me, and there may be other times when the code is triggered, but finding these out is a homework exercise for the reader \ud83d\ude09<\/p>\n
It’s certainly not the best persistence mechanism, but yet another place to look at, just in case…<\/p>\n","protected":false},"excerpt":{"rendered":"
I was pretty surprised to find this one as I have looked at kernel32.dll many times before. Seeing a code branch that is responsible for enumerating registry subkeys and loading the DLLs, and one that has not been discussed before, … Continue reading